Privacy Policy
Your personal data is safe on gruppocarillo.it - Our data protection policy ensures that personal data is used exclusively for order management purposes, including shipping of ordered products and communications related to orders, returns, withdrawals, payments, and invoicing.
We also guarantee that provided email addresses will never be disclosed to third parties but will be used exclusively for sending newsletters and promotions related to our business.
All data provided to Gruppo Carillo on the website accessible at https://www.gruppocarillo.it during registration and subsequently for the use of services provided by Gruppo Carillo will be processed in compliance with the provisions of Legislative Decree 196/2003 on personal data protection (“Privacy Code”) and Article 13 of EU Regulation No. 2016/679 (hereinafter, “GDPR”).
Gruppo Carillo S.p.A., CF and VAT No. 03192251217 (hereinafter, “Controller”), as the data controller, informs you pursuant to Article 13 of Legislative Decree 30.6.2003 No. 196 (hereinafter, “Privacy Code”) and Article 13 of EU Regulation No. 2016/679 (hereinafter, “GDPR”) that your data will be processed in the following ways and for the following purposes:
1. Object of Processing
The Controller processes personal and identifying data (such as name, surname, company name, address, phone number, email, banking and payment details) - hereinafter, “personal data” or simply “data” - provided by you when concluding contracts for the Controller’s services.
2. Purpose of Processing
Your personal data is processed:
2.A) Without your express consent (Article 24 letters a), b), c) of the Privacy Code and Article 6 letters b), e) GDPR) for the following Service Purposes:
- Concluding contracts for the Controller’s services;
- Fulfilling pre-contractual, contractual, and tax obligations arising from existing relationships with you;
- Complying with legal obligations, regulations, EU legislation, or orders from Authorities (such as anti-money laundering regulations);
- Exercising the Controller’s rights, such as the right to defense in legal proceedings;
- Mandatory legal obligations in tax and accounting matters;
- After-sales assistance;
- Dispute management;
- Customer management;
- Quality management;
- Activity planning;
- Measuring customer satisfaction;
2.B) Only with your specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 GDPR) for the following Marketing Purposes:
- Sending via email, post, SMS, and/or telephone contacts newsletters, commercial communications, and/or advertising material on products or services offered by the Controller and measuring satisfaction regarding service quality.
Please note that if you are already our customer, we may send you commercial communications regarding services and products similar to those you have already used, unless you object (Article 130, paragraph 4 of the Privacy Code).
The processing of data necessary to fulfill these obligations is essential for the proper management of the relationship, and providing such data is mandatory to achieve the above-mentioned purposes. The Controller also informs that failure to provide or incorrect communication of any mandatory information may make it impossible for the Controller to ensure proper processing.
Every processing activity complies with Articles 6 and 32 of the GDPR and includes the adoption of appropriate security measures.
The confidentiality of data provided by users is a fundamental priority for the company, which commits to adopting the most suitable measures to prevent loss, misappropriation, and disclosure of users’ personal information to prevent unauthorized uses.
To this end, the company undertakes to adopt and constantly implement technologies and means aimed at protecting such information.
However, given the vastness and complexity of web-connected IT systems, as well as the impossibility of ensuring absolute protection of data transmissions taking place within them, the company cannot guarantee complete confidentiality of information received or sent through the server.
By accepting this privacy policy, the user releases the company from any liability in the event of a security breach.
3. Processing Methods
Your personal data is processed through operations referred to in Article 4 of the Privacy Code and Article 4 No. 2) GDPR, specifically: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data. Your personal data is processed both on paper and electronically and/or automatically.
The Controller will process personal data for the time necessary to fulfill the above-mentioned purposes and, in any case, for no more than 10 years from the termination of the relationship for Service Purposes and no more than 2 years from data collection for Marketing Purposes.
4. Data Access
Your data may be made accessible for the purposes referred to in Articles 2.A) and 2.B):
- To employees and collaborators of the Controller in their capacity as designated personnel and/or internal processing managers and/or system administrators;
- To third-party companies or other entities (e.g., credit institutions, professional firms, consultants, etc.) performing outsourcing activities on behalf of the Controller as external data processors.
5. Data Communication
Without requiring explicit consent (per Article 24 letters a), b), d) of the Privacy Code and Article 6 letters b) and c) GDPR), the Controller may communicate your data for the purposes of Article 2.A) to supervisory bodies (such as IVASS), judicial authorities, insurance companies for service provision, as well as entities for whom communication is mandatory by law to fulfill stated purposes. These entities will process the data as independent data controllers.
Your data will not be disseminated.
Your data will be communicated only to competent and duly appointed subjects for the provision of necessary services to properly manage the relationship, ensuring the protection of the data subject’s rights.
Your data will be processed solely by expressly authorized personnel of the Controller, specifically including the following departments:
- Marketing Office
- Administration and Accounting Office
- Customer Assistance Office
- Programmers and Analysts
- Commercial Office
Your data may be communicated to third parties duly appointed as Data Processors, specifically to:
- Google Tag Manager: Analytics/Measurement, Content Personalization, Optimization;
- Couriers, Logistics Companies, Carriers;
- Consultants and freelancers, even in associated form;
- Banks, credit institutions, online payment systems;
Dissemination: Your personal data will not be disseminated in any way.
- via the appropriate link found at the bottom of any promotional email sent from the site lacasaitaliana.com;
- by sending an email to info@gruppocarillo.it;
- by accessing the "contact us" section on the website and sending a specific request for deletion/modification of the granted preferences or by writing to Gruppo Carillo S.p.A., at Via Bosco Fangone - Località Interporto di Nola - Lotto H – Blocco F – Mod. 1 - 80035 NOLA (Na);
Consent may also be revoked with reference only to automated contact systems.
c. for profiling purposes
With your specific consent, Gruppo Carillo S.p.A. may process your data to understand your habits and interests and offer you products and services to your liking. To pursue this purpose, the Company may process the data referred to in the previous paragraph, letters b) and c). The given consent can be revoked at any time using the following methods:
- via the appropriate link found at the bottom of any promotional email sent from the site lacasaitaliana.com;
- by sending an email to info@gruppocarillo.it;
- by accessing the "contact us" section on the website and sending a specific request for deletion/modification of the granted preferences or by writing to Gruppo Carillo S.p.A., at Via Bosco Fangone - Località Interporto di Nola - Lotto H – Blocco F – Mod. 1 - 80035 NOLA (Na)
d. for the communication of your data to third parties for marketing purposes
With your specific consent, Gruppo Carillo S.p.A. may share your data with third parties who may process them to send their own commercial communications using automated systems (e.g., email, SMS, app notifications) and traditional systems (e.g., postal mail). For this processing purpose, the data referred to in the previous paragraph, letter b), will be used. The given consent can be revoked at any time using the following methods: - via the appropriate link found at the bottom of any promotional email sent from the site lacasaitaliana.com;
- by sending an email to info@gruppocarillo.it;
- by accessing the "contact us" section on the website and sending a specific request for deletion/modification of the granted preferences or by writing to Gruppo Carillo S.p.A., at Via Bosco Fangone - Località Interporto di Nola - Lotto H – Blocco F – Mod. 1 - 80035 NOLA (Na);
Categories of subjects to whom personal data may be communicated and purpose of communication
The Data Controller may communicate some of your personal data to third parties for the same purposes, who will process your personal data as Data Processors. The list of Data Processors can be requested from the Data Controller at any time by writing to info@gruppocarillo.it.
Data retention period and duration of processing
Your Personal Data will be processed using automated tools for the time strictly necessary to achieve the purposes for which they were collected. Specifically, Personal Data concerning your identification details will be processed:
- if purchases are made on the Site, for a maximum period of ten years from the conclusion of the contract; if no purchase is made, for a maximum period of 24 months for direct marketing purposes, and for a maximum period of 12 months for profiling purposes (in compliance with the Privacy Guarantor's provision of February 24, 2005). Gruppo Carillo S.p.A. will instead retain Log Files and IPs for the longest limitation period provided by law for online fraud.
Data subjects' rights - Information and access to personal data
We inform you that, in compliance with current regulations, you may exercise the following rights towards the Data Controller at any time, where applicable:
Right of access - (Article 15 EU GDPR)
The data subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed and, in such case, the right to access such data and the information related to the purposes of processing, categories of personal data concerned, recipients or categories of recipients to whom the data have been or will be disclosed.
Right to rectification - (Article 16 EU GDPR)
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to erasure (“right to be forgotten”) - (Article 17 EU GDPR)
The data subject has the right to obtain the erasure of personal data concerning them without undue delay (the Data Controller has the obligation to erase personal data without undue delay in the cases provided for by Article 17 of the Regulation).
Right to restriction of processing - (Article 18 EU GDPR)
The data subject has the right to obtain restriction of processing in the cases set out in Article 18 of the Regulation.
Right to data portability - (Article 20 EU GDPR)
The data subject has the right to receive, in a structured, commonly used, and machine-readable format, the personal data concerning them in our possession; the right to transmit such data to another data controller without hindrance from the data controller to whom they have provided them in the cases set out in Article 20 of the Regulation.
Right to object - (Article 21 EU GDPR)
The data subject has the right to object at any time: (i) for reasons related to their particular situation, to the processing of personal data concerning them pursuant to Article 6, paragraph 1, letters e) or f), including profiling based on these provisions; and (ii) if their data are processed for direct marketing purposes, including profiling to the extent related to such direct marketing.
These are the rights recognized under Regulation (EU) 2016/679 (GDPR) in Articles 15 - “Right of access,” 16 - “Right to rectification,” 17 - “Right to erasure,” 18 – “Right to restriction of processing,” 20 – “Right to data portability,” within the limits and conditions provided for in Article 12 of the Regulation.
Such requests may be addressed to the Data Controller using the following methods:
- via the appropriate link found at the bottom of any promotional email sent from the site lacasaitaliana.com;
- by sending an email to info@gruppocarillo.it;
- by accessing the "contact us" section on the website and sending a specific request for deletion/modification of the granted preferences or by writing to Gruppo Carillo S.p.A., at Via Bosco Fangone - Località Interporto di Nola - Lotto H – Blocco F – Mod. 1 - 80035 NOLA (Na);
We also inform you that under current regulations, you may file any complaints regarding the processing of your personal data with the Data Protection Authority.